Glasgow Theses Service http://theses.gla.ac.uk/
Crawford, Heather Anne (2012) A framework for continuous, transparent
authentication on mobile devices.
PhD thesis
http://theses.gla.ac.uk/4046/
Copyright and moral rights for this thesis are retained by the author
A copy can be downloaded for personal non-commercial research or
study, without prior permission or charge
This thesis cannot be reproduced or quoted extensively from without first
obtaining permission in writing from the Author
The content must not be changed in any way or sold commercially in any
format or medium without the formal permission of the Author
When referring to this work, full bibliographic details including the
author, title, awarding institution and date of the thesis must be given
A Framework for Continuous, Transparent Authentication on Mobile Devices
Heather Anne Crawford
Submitted in fulfilment of the requirements for the degree of
Doctor of Philosophy
School of Computing Science
College of Science and Engineering
University of Glasgow
December 2012
Abstract
Mobile devices have consistently advanced in terms of processing power, amount of memory and functionality. With these advances, the ability to store potentially private or sensitive information on them has increased. Traditional methods for securing mobile devices, passwords and PINs, are inadequate given their weaknesses and the bursty use patterns that characterize mobile devices. Passwords and PINs are often shared or weak secrets to ameliorate the memory load on device owners. Furthermore, they represent point-of-entry security, which provides access control but not authentication. Alternatives to these traditional methods have been suggested. Examples include graphical passwords, biometrics and sketched passwords, among others. These alternatives all have their place in an authentication toolbox, as do passwords and PINs, but do not respect the unique needs of the mobile device environment.
This dissertation presents a continuous, transparent authentication method for mobile devices called the Transparent Authentication Framework. The Framework uses behavioral biometrics, which are patterns in how people perform actions, to verify the identity of the mobile device owner. It is transparent in that the biometrics are gathered in the background while the device is used normally, and is continuous in that verification takes place regularly. The Framework requires little effort from the device owner, goes beyond access control to provide authentication, and is acceptable and trustworthy to device owners, all while respecting the memory and processor limitations of the mobile device environment.
Acknowledgements
First, to my supervisors, Dr Karen Renaud and Dr Tim Storer. I couldn’t have asked for more dedicated people to help me along this path. Thank you for the wisdom, guidance and sympathetic ear. Having two supervisors was sometimes a challenge, but I wouldn’t have had it any other way. Thank you to my SICSA supervisor, Dr Mark Dunlop of the University of Strathclyde; mobile devices and user studies are demystified largely due to your help. No one does this kind of work on their own. I have a lot of people to thank for providing help on various details of the research contained herein. In no particular order, thank yous go to Julie Williamson, Simon Rogers, John Williamson, Marilyn McGee-Lennon, David Masters, and Alessandro Vinciarelli. Special thanks go to John Aycock. You listened, read drafts and provided support even though you’re not my supervisor this time!
No small mention goes to the people who participated in the user studies in this work. Without you, this would have been impossible, so thank you. Thank you to SICSA for the studentship and the chance to expand my knowledge through masterclasses, workshops and talks from Distinguished Visitors. I’d also like to thank the University of Glasgow College of Science and Engineering for the scholarship.
Last, but never, ever least: thank you to my husband, Paul. You’ve stood by me through it all; I can’t possibly express how grateful I am for your unwavering love and support.
Table of Contents
1 Introduction
1.1 The Problem
1.2 The Solution: Teaching Computers to “Know” Their Owner
1.3 The Transparent Authentication Framework
1.4 Research Question
1.4.1 Research Hypotheses
1.5 Main Contributions of this Research
1.6 Dissertation Structure
2 Background
2.1 Authentication and Access Control
2.2 Textual Passwords and the Password Problem
2.3 Alternatives to Passwords
2.4 User Acceptance of Secret-Knowledge Mechanisms
2.5 Mobile Device Authentication
2.6 Biometrics
2.6.1 Physiological Biometrics
2.6.2 Behavioral Biometrics
2.6.3 Multimodal Biometrics
2.6.4 User Acceptance of Biometrics
2.6.5 Biometrics Performance Metrics
2.7 Transparent and Continuous Authentication
2.9 Pattern Classification and Machine Learning
2.10 The Transparent Authentication Framework
2.11 Terminology Used in this Dissertation
2.12 Summary
3 Transparent Authentication Framework for Mobile Devices
3.1 Framework Overview
3.2 Device Confidence
3.3 Data Structures
3.3.1 Event Objects
3.3.2 Input Event Object Buffers
3.3.3 Training Event Object Buffers
3.3.4 Device Confidence Value
3.4 Processes
3.4.1 Update Biometric Input Event Object Buffer
3.4.2 Update Explicit Authentication Event Object Buffer
3.4.3 Compute Averaged Biometric Probability
3.4.4 Compute Device Confidence
3.4.5 Make Task Decision
3.4.6 Update Training Event Object Buffer
3.4.7 Refresh Buffers
3.4.8 (Re)train Classifier
3.5 Biometrics Lifecycle
3.5.1 Enrolment
3.5.2 Bootstrapping
3.5.3 Continuous, Transparent Authentication
3.6 Design Considerations
3.6.1 Biometrics
3.6.2 Pattern Classifiers
4 Keystroke Dynamics Feasibility Study
4.1 Study Goals
4.2 Study Design
4.2.1 Participants
4.2.2 Apparatus and Materials
4.2.3 Procedure
4.3 Data Acquisition
4.4 Results and Analysis
4.5 Study Limitations
4.6 Keystroke Dynamics in the Transparent Authentication Framework
4.7 Summary
5 Speaker Verification Feasibility Study
5.1 Study Goals
5.2 Study Design
5.2.1 Participants
5.2.2 Apparatus and Materials
5.2.3 Procedure
5.3 Data Acquisition
5.3.1 Data and File Formats
5.3.2 Data Retrieval
5.3.3 Feature Extraction
5.4 Results and Analysis
5.5 Study Limitations
5.6 Speaker Verification Accuracy
5.7 Speaker Verification in the Transparent Authentication Framework
6 Multimodal Biometrics Feasibility Study
6.1 Study Goals
6.2 Fusion Methods
6.2.1 Score-Level Fusion Techniques
6.2.2 Sequential Probability Ratio Test
6.3 Combining Biometrics for Score-Level Fusion
6.3.1 Naïve Method
6.3.2 Posterior Probability Method
6.4 Study Design
6.4.1 Participants
6.4.2 Apparatus and Materials
6.4.3 Procedure
6.4.4 Biometric Weighting
6.5 Pattern Classification
6.6 Results and Analysis
6.6.1 Statistical Significance
6.7 Multimodal Biometrics in the Transparent Authentication Framework
6.7.1 Limitations of the Study
6.8 Summary
7 Transparent Authentication Perceptions Study
7.1 Study Goals
7.2 Study Design
7.2.1 Participants
7.2.2 Apparatus and Materials
7.2.3 Procedure
7.2.4 Tasks
7.3 Results and Analysis
7.3.1 Theme 1: Basis for Security Level Choice
7.3.2 Theme 2: Security as a Barrier
7.3.3 Theme 3: Perceptions of Traditional and Transparent Authentication
7.3.4 Theme 4: Suggestions for Transparent Authentication Functionality
7.4 Study Limitations
7.5 Summary
8 Security Discussion
8.1 Attacker Capabilities
8.2 Social Engineering Attacks
8.3 Explicit Authenticator Attacks
8.4 Time–Based Attacks
8.5 Biometrics–Based Attacks
8.5.1 Impersonation and Replay Attacks
8.5.2 Pattern Simulation
8.5.3 Man–in–the–Middle Attacks
8.5.4 Template Attacks
8.5.5 Multimodal Biometrics
8.6 Summary
9 Conclusions and Future Work
9.1 Motivation Revisited
9.2 Framework Design Considerations
9.2.1 Basis for Security Level Choice
9.2.2 Security as a Barrier
9.2.3 Perceptions of Traditional and Transparent Authentication
9.3 Research Contributions
9.3.1 Major Contributions
9.3.2 Minor Contributions
9.4 Future Work
9.5 Conclusions
A Transparent Authentication Perceptions Study Interview Questions
List of Tables
1.1 Transparent Authentication Framework solution
2.1 Traits of selected physiological biometrics
2.2 Characteristics of selected behavioral biometrics
2.3 Generic confusion matrix for a two-class decision problem
3.1 Components of Different Event Objects
4.1 Number of Keystrokes, Bigrams and Patterns collected
4.2 Pattern Classifier Results
4.3 Distribution shape for EER and AUC values
4.4 EER and AUC medians for all classifiers
5.1 Pattern Classifier Results
5.2 Distribution shape for EER and AUC values
5.3 EER and AUC statistical significance results
6.1 Summary of score-level biometric fusion methods
6.2 Summary of probability-based score-level biometric fusion methods.
6.3 Biometric combination term definitions
6.4 EER values for combination methods
6.5 AUC values for combination methods
6.6 EER and AUC distribution shape test results
6.7 EER and AUC statistical significance tests
7.2 Statistical significance results for explicit authentication and disabling transparent authentication frequency
7.3 Pairwise statistical significance test results for explicit authentication frequency
7.4 Pairwise statistical significance test results for disabling transparent
List of Figures
2.1 Relationship between the three access control factors.
2.2 Relationship between EER, FAR and FRR
2.3 Sample ROC curve
2.4 Pattern classification workflow
2.5 Neural network example
3.1 Transparent Authentication Framework in the access control domain
3.2 Transparent Authentication Framework general flow
3.3 Input Event Object buffers
3.4 Multimodal biometric calculations to update device confidence
3.5 Mapping of device confidence to task or data threshold
3.6 The two methods by which device confidence is recalculated
3.7 Biometric lifecycle
4.1 Keystroke metrics
4.2 KeystrokeData application screenshots
4.3 iPhone keyboard characters
4.4 Details of Pattern, Keystroke, and Bigram classes
4.5 Relationship between Pattern, Keystroke and Bigram objects
4.6 Proportion of owner and rest-of-world patterns
4.7 Mean key hold times for Owner and World patterns
4.8 Mean inter-key latency times for Owner and World patterns
5.1 Screenshots of the VoiceData application
6.1 Overlap between two probabilities
6.2 Procedure for multimodal biometric fusion
6.3 Comparison of multimodal decisions to known classes
6.4 ROC curves for Owner5 over all classifiers
7.1 TAP application setup screen
7.2 TAP application screenshots
7.3 TAP application individual task screens
7.4 TAP application support screens
7.5 Device confidence visualizations
7.6 Security mechanisms used by participants
7.7 Participant task security choices
7.8 Explicit authentication frequency
7.9 Disabling transparent authentication frequency
7.10 Participant perceptions of task difficulty
7.11 Perceptions of data protection provided by transparent authentication
7.12 Comparison of device security
Chapter 1
Introduction
In 1965, Gordon Moore predicted that the number of transistors on integrated circuits would double every two years [1]. His prediction, now known as Moore’s Law, has been stated in a more colloquial manner: the processor speed of computers will double every two years. Since its inception, this prediction has guided the computer industry, in terms of both research and manufacturing.
Computers continue to improve. Performance increases in terms of memory, processor speed and functionality with great regularity. This is especially evident with mobile devices. Once simple telephony tools, mobile devices have become fully-fledged computing environments. Their features, functionality and near-constant connection to the Internet and mobile service providers have unbound people from their desktop and laptop computers. This freedom does not, however, come without cost. The improvements in processor speed, amount of memory, functionality and features allow us to work (and play) more than ever before. Accordingly, mobile device popularity has soared – in 2011, 488 million smartphones were sold, which is more than desktop and laptop computers combined [2]. Their ubiquity and features mean mobile devices now store more information than ever before, some of it personal or personally identifying [3]. Furthermore, we have come to depend on them to provide access to services such as email and the Internet, among others, and are often at a loss if they are not present. Due to the nature and amount of data now stored on these devices, a security method for protecting access to this information is required.
1.1 The Problem
The motivation for this work comes from several areas. Modern mobile devices are now able to perform potentially risky tasks such as storing (corporate and personal) data and carrying out e-transactions such as making purchases or online banking. With such broad access to services comes the ability (and responsibility) to store and access increasingly personal (and personally identifying) information about the device owner and their activities. This in turn indicates the need for a way of protecting this data from those who should not have access to it – the authentication problem.
Current authentication methods are known to have issues with strength and memorability [4, 5]. The real issue is not that passwords are broken – they have their place in a toolbox of authentication schemes, and are particularly useful in situations where humans are excluded. For instance, computers authenticate to each other, and can remember long, complicated passwords with ease. The overarching problem is with humans – the memory-load put onto users to remember several long passwords encourages the use of coping mechanisms such as reuse and sharing [4, 6]. Furthermore, the bursty nature that characterizes mobile device use [7, 8] means that the device owner must enter their password frequently. This represents a significant inconvenience and may encourage the device owner to subvert the security mechanism.
The problems with current authentication methods are informed by the following standing issues in computer security, which also provide a basis for this research:
The Password Problem has been described as the willingness of users, despite advice and requirements to the contrary, to choose weak passwords and share, reuse and write them down. This problem is based on the proposition that “strong” passwords (i.e., those that are difficult to break: long, with various cases, special characters, and numbers) are often difficult to create and to remember. This problem is exacerbated when users require different strong passwords for each of the approximately 25 separate accounts the average user has [9]. Furthermore, passwords and PINs provide binary access control. Once the secret knowledge is entered, access to all protected data and functionality is allowed. In this way, resources are either protected or unprotected; there is no nuanced control over the level of protection.
Disconnect between Mental Models and Password Security: This problem refers to the idea that users have a skewed vision of the dangers associated with security methods, especially with password reuse and sharing. Many users do not believe they are at risk, or that they have “anything worth having” [10]. Furthermore, the threats linked with using weak password practices such as identity theft, fraud and account abuse are considered distant threats by many users. There is no conclusive proof that a strong password will protect users from such threats, or, conversely, that a weak password does indeed make them more vulnerable since there is no way to link the possibility of a threat to an actual instance of the threat’s occurrence. This disconnect between the mind-model and the security of a password ensures that passwords and similar authentication methods will be adjusted by users to make them more usable.
Inflexibility in Authentication Policy creation: In direct response to fears regarding threats due to password weakness, many organizations have imposed significant authentication policies on their employees. Such policies, in terms of passwords, define the required length, character set and change frequency for passwords used to gain access to company resources. Such policies are known to not only force users to circumvent them in order to cope [4, 11], but also to provide a reduced search space to potential attackers.
Other security methods for mobile devices have been proposed, including sketched passwords, biometrics [12–14] and graphical passwords [15, 16]. Each of these solutions also has issues similar to those with passwords and PINs. They are effortful, have memorability issues, and provide point-of-entry protection. The solution to this problem should take these issues into account when proposing an alternative to traditional authentication mechanisms.
1.2 The Solution: Teaching Computers to “Know” Their Owner
Mobile devices are fully-fledged computing platforms, and this has opened up an attack vector that is not effectively managed by current authentication mechanisms. Device owners cope with the current mechanisms in insecure ways. A solution to the mobile device authentication problem is something that is as effortless as possible, and provides protection that goes beyond point-of-entry security. A solution to the mobile device authentication problem should have the following attributes:
1. Require less effort than current authentication methods [17];
2. Go beyond access control and point-of-entry solutions to protect data and functionality at a more granular level [17];
3. Authenticate users continuously to maintain confidence in their identity [17];
4. Provide a security method that is acceptable and considered trustworthy by device owners;
5. Respect the needs of the mobile device environment in terms of its bursty nature as well as its limitations in both processor speed and memory.
1.3 The Transparent Authentication Framework
This dissertation introduces the Transparent Authentication Framework: a framework to support the creation of a mechanism that provides continuous, transparent authentication on mobile devices. The Framework uses patterns in how users perform regular device actions to affect the mobile device’s knowledge of who is currently using it. In this research, the mobile device’s level of certainty that the current user is the device owner is called device confidence. Behavioral biometrics, which are patterns in user actions, are used to inform device confidence levels. A biometric match increases device confidence, and a non-match lowers it. The tasks and data on the device are mapped to particular device confidence levels. For instance, highly private data such as a list of passwords may be assigned a high security level. If this level is higher than the current device confidence, then access to the data or functionality is denied. In the event that the device confidence is too low to accomplish a particular task, the legitimate device owner may use an explicit authentication method to increase their device confidence. If the device is no longer being used, the device confidence will lower over time. Eventually, the user will have access to only very basic functionality, but device confidence can be increased again via biometrics or explicit authentication.
The Framework provides a solution to the mobile device authentication problem by addressing each of the attributes given in the previous section. It does so in the following ways:
Reduces user effort by using behavioral biometrics, which can be gathered while the device owner uses the device in their normal manner. Two biometrics were tested for this purpose: keystroke dynamics and speaker verification. The former uses patterns in the way we type and the latter uses patterns in the way we speak;
Goes beyond access control by using biometrics in combination with explicit methods to verify the identity of the device owner;
Authenticates continuously by collecting biometrics and using them regularly to increase device confidence. Storing the biometrics and replacing them with newer samples frequently further supports the continuous nature by allowing recalculation even when the device owner is not currently using the device;
Provides an acceptable and trustworthy security method as evidenced by user studies conducted as part of this research;
Respects the limitations of mobile devices by requiring only the hardware already on the device and minimizing processor and memory use by selecting biometrics and classifiers that are simple and have minimal processing needs.
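The device-confidence loop described in this section, sketched as an added Python example that is not code from the thesis. The task names, thresholds, step sizes, decay rate, the effect of explicit authentication and the choice to deny unmapped tasks are all assumptions made for illustration; the text above gives no numeric values.

```python
from dataclasses import dataclass

# Assumed task-to-threshold mapping on a 0-100 scale. These tasks and numbers
# are invented for illustration; they are not taken from the thesis.
TASK_THRESHOLDS = {
    "make_call": 0,        # very basic functionality stays available
    "read_email": 50,
    "password_list": 90,   # highly private data gets a high security level
}


@dataclass
class DeviceConfidence:
    """The device's certainty (0-100) that the current user is the owner."""
    value: int = 0
    match_gain: int = 15         # assumed rise per biometric match
    mismatch_loss: int = 25      # assumed drop per non-match (larger than the gain)
    idle_decay_per_min: int = 2  # assumed drop per minute without use

    def _set(self, new_value: int) -> None:
        # Keep the value inside the 0-100 range.
        self.value = max(0, min(100, new_value))

    def biometric_sample(self, matched: bool) -> None:
        """A biometric match raises confidence; a non-match lowers it."""
        step = self.match_gain if matched else -self.mismatch_loss
        self._set(self.value + step)

    def explicit_auth(self, succeeded: bool) -> None:
        """Assumption: a successful PIN/password entry restores full
        confidence and a failed attempt leaves the value unchanged."""
        if succeeded:
            self._set(100)

    def idle(self, minutes: int) -> None:
        """Confidence lowers over time while the device is not used."""
        self._set(self.value - self.idle_decay_per_min * minutes)

    def permits(self, task: str) -> bool:
        """Allow a task only if it is mapped and confidence meets its level.
        Unmapped tasks are denied (fail closed, an assumption of this sketch)."""
        required = TASK_THRESHOLDS.get(task)
        return required is not None and self.value >= required


def replay(events):
    """Apply (kind, argument) events in order and record, after each one,
    the confidence value and the tasks that would currently be permitted."""
    dc = DeviceConfidence()
    trace = []
    for kind, arg in events:
        if kind == "biometric":
            dc.biometric_sample(arg)
        elif kind == "explicit":
            dc.explicit_auth(arg)
        elif kind == "idle":
            dc.idle(arg)
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
        allowed = sorted(t for t in TASK_THRESHOLDS if dc.permits(t))
        trace.append((kind, arg, dc.value, allowed))
    return trace


# Constructed session: four matching samples, an explicit login, one
# non-matching sample, then an hour in which the device is not used.
SAMPLE_EVENTS = [
    ("biometric", True), ("biometric", True),
    ("biometric", True), ("biometric", True),
    ("explicit", True),
    ("biometric", False),
    ("idle", 30), ("idle", 30),
]

if __name__ == "__main__":
    for kind, arg, value, allowed in replay(SAMPLE_EVENTS):
        print(f"{kind:9} {arg!s:5} -> confidence {value:3}  allowed: {allowed}")
```

Making the non-match penalty larger than the match gain means a run of mixed samples trends downward, so access to high-threshold tasks has to be earned through consistent matches or an explicit login.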
These contributions are summarized in Table 1.1. The first column identifies the requirements for a transparent authentication method for mobile devices; the second column specifies how the Transparent Authentication Framework meets the requirement. The third column lists an attribute provided by the Framework that meets the requirement in question. The final column shows which chapter of this dissertation contains the explanation or experimental work that supports each stated feature.
| Requirement | How Met | Attribute | Chapter |
| --- | --- | --- | --- |
| Less user effort | Behavioral biometrics | Transparency | 4, 5 |
| Beyond access control | Authentication provision, task mapping | Authentication | 3 |
| Continuous authentication | Continuous device confidence recalculation, task mapping | Continuousness | 3 |
| Acceptable, trustworthy method | User study into perceptions | Acceptability, trustworthiness | 7 |
| Respects mobile environment | Uses minimal hardware and efficient algorithms | Minimality | 6, 7 |
Table 1.1: How the Transparent Authentication Framework meets the needs for a mobile device authentication solution.
The Transparent Authentication Framework is a potential solution to the mobile device authentication problem. Its creation is driven by the research question and hypotheses stated in the next section.
1.4 Research Question
This research is based on the following research question:
It is possible to verify the identity of the current user of a mobile device in a secure, continuous, transparent and passive manner by using a combination of behavioral biometrics. Such authentication will not normally require explicit owner action, but will instead rely on the owner’s usual interaction with the mobile device. Finally, such a transparent authentication method will be acceptable to device owners.
The following assumptions have been made in carrying out this research:
1. Mobile devices are single user devices (this may not be the case in all countries). This assumption reduces the complexity of the overarching problem of owner identification versus verification. The mobile device user is implicitly claiming a particular identity, that of device owner, when using the device. Therefore, the only biometric patterns that the gathered patterns must be compared to are those of the device owner.
2. Behavioral biometrics are not unique to a specific user. Instead, they are relatively distinctive and stable enough to support authentication in a small population [18–20], especially when combined into multimodal biometrics.
1.4.1 Research Hypotheses
The following research hypotheses are based on the above research question:
H1: Behavioral biometrics such as keystroke dynamics and speaker verification are sufficiently distinctive to contribute to verification of the identity of a mobile device owner.
H2: Combining keystroke dynamics and speaker verification into a multimodal behavioral biometric reduces the error rates seen with the individual biometrics.
H3: It is possible to gather keystroke dynamics and speaker verification biometrics while the mobile device user goes about other tasks on the device.
H4: Mobile device owners would consider using a transparent authentication method if it was available to them.
A framework that combines the above hypotheses is the major contribution this dissertation provides. The assertion in this research is that the Framework is device and operating system independent.
1.5 Main Contributions of this Research
This research contributes new knowledge to the field of mobile device security. Specifically, it provides the design for a framework upon which continuous, transparent mobile device security may be based. The Transparent Authentication Framework goes beyond other similar models by keeping the owner’s private, identifying information on the device and making all decisions regarding identity on–device. Furthermore, the Framework uses multimodal biometrics to overcome some of the limitations of single biometrics, and allows the developer who uses the Framework to choose not only the type but also the number of biometrics to include. Finally, this Framework allows the user to control the mapping of security level to the tasks and data available on the device; in other similar work, this is left to the developer.
The following publications have resulted from exploring the research areas described in this dissertation:
Heather Crawford and Karen Renaud, “Invisible, Passive, Continuous, and Multimodal Authentication”. In Proceedings of the Mobile Social Signal Processing Workshop, 2010, to appear.
Heather Crawford, “Keystroke Dynamics: Characteristics and Opportunities”. In Proceedings of the 8th Annual Conference on Privacy, Security, and Trust (PST), 2010, pp. 205 – 212.
The following papers related to this research are currently under peer review:
Heather Crawford, Karen Renaud and Tim Storer. “A Framework for Continuous, Transparent Mobile Device Authentication”. Submitted to Computers & Security Special Issue on Active Authentication. (Under revision).
1.6 Dissertation Structure
This dissertation continues with a discussion of the background needed to understand the studies and research performed for this work, including an overview of the state-of-the-art in authentication research. Next, the Transparent Authentication Framework is presented in detail in Chapter 3. Then, the four user studies undertaken to justify the Framework’s inclusions are presented. These four feasibility studies examine keystroke dynamics (Chapter 4), speaker verification (Chapter 5), combining biometrics into multimodal authenticators (Chapter 6), and finally a study to gather user perceptions of transparent authentication (Chapter 7). Finally, the security issues inherent in the Framework are discussed in Chapter 8, and the conclusions and future work appear in Chapter 9.
Chapter 2
Background
This chapter introduces concepts and current research in the field of authentication. Topics covered begin with a discussion of current authentication methods and a discussion of the issues caused by widespread password use. Then, alternatives to passwords and their acceptance by users are discussed. The focus of this research is on mobile device authentication, so subsequent sections focus on methods used on mobile devices. Biometrics, including physiological, behavioral and multimodal are then discussed, along with user acceptance of them, and methods of measuring biometric performance. The focus of the chapter then shifts to transparent authentication mechanisms and frameworks that support them, which often use biometrics as a basis. Finally, pattern classification concepts and research are discussed since they can be used to support biometric decision-making. The chapter concludes with a description of the Transparent Authentication Framework and the terminology used throughout the dissertation. This chapter extends the motivation discussion given in the previous chapter.
2.1 Authentication and Access Control
Authentication and access control are linked concepts that are part of information and system security. Authentication verifies the identity of one person, process or computer to another. Access control determines what a person, process or computer may do with the resources mediated by another person, process or computer. Access control generally requires identification followed by an authentication step that confirms the validity of the claimed identity. It is used as a means of limiting resource access to those who are pre-approved [21], and as a means of implementing a measure of accountability when using the protected resources.
The access control problem has three components: identification, authentication and authorization [22]. This chapter (and research) is concerned with the first two of these components. User authentication, a special case of the broader topic of authentication, begins when a user claims an identity, either explicitly by providing a username or a card with a chip that holds an identity, or implicitly by possessing a device. Next, the user provides some evidence to support this claim. This evidence is used to authenticate the user; if successful, the user is granted access to a protected resource. The authorization component mediates this stage by determining what resources may be accessed.
Authentication mechanisms are traditionally built upon one or more of the following three types of factors [22]:
1. Something you know: This is a secret that the user shares with the authentication system, such as a password, PIN or answer to a challenge question. This factor is known as a secret-knowledge technique. This recall-based method is often used as a form of authentication despite the fact that it can allow access to anyone who knows the shared secret rather than to a specific person. Secret knowledge can also be easy to share and to guess.
2. Something you have: These are usually tokens such as a smartcard, RFID chip, keyfob or other hardware token. This factor can be combined with something you know to provide additional security. Physical objects such as this can be easy to share with others, and can be lost or stolen. To manage theft and loss, there must be a method of canceling those tokens that are no longer possessed by the intended owner, which adds complexity to systems that use them. Users tend to find tokens cumbersome and inconvenient despite their widespread use [23].
3. Something you are: Biometrics, both physiological and behavioral, can be used to support authentication. The latter is also referred to as something you do. Biometrics can be more difficult to impersonate or forge compared to knowledge or possessions, but are computationally more difficult to process. They can require more hardware than other methods, although behavioral biometrics often do not. Physiological examples include fingerprints, iris and retina scans and facial recognition. Behavioral examples include typing, voice-related and device use patterns.
These types of factors are related to each other as shown in Figure 2.1. For instance, keystroke dynamics measures typing patterns, and can be combined with secret knowledge entry, such as typing a password. Behavioral biometrics are an example of both something you are and know since our experiences and skills affect how we perform such actions, such as typing.
[Figure 2.1: Relationship between the three access control factors. Diagram labels: Something you have, Something you know, Something you are; Physiological Biometrics, Bank card, Token, Password, PIN, Behavioral Biometrics, Bank card w/ PIN.]
As research into authentication has progressed, more factors have been suggested, such as the following:
1. Someone you know: Using Bluetooth or some other short range communication method, the general area around the user is searched for people (or their hardware) who appear in the user’s social network [24]. These people are then asked to vouch for the user by confirming their identity.
2. Where you are: This factor encompasses location-based activities [25], particularly in ubiquitous computing environments [26]. These can take the form of comparisons to usual locations (i.e., if a person is in a location they visit frequently as opposed to someplace they have never been) or comparison of known calendar events to location.
The factors listed here are often combined into multi-factor authentication solutions to increase the security provided by any one method, and to support their known weaknesses. Passwords and PINs in particular are used almost ubiquitously even though they have significant issues both in design and use that make them a poor choice for security provision in many situations.
2.2 Textual Passwords and the Password Problem
Passwords and other secret knowledge techniques are the most commonly-deployed authentication mechanism despite several problems [22]. They are familiar to users, and may not compromise privacy provided the user does not use publicly-known information in their password choice. However, there is a well-understood trade-off, known as the password problem, between the security of a password (i.e., the difficulty for an attacker in guessing the secret) and the memorability of the password for the user. Typically, the harder a password is to guess for an attacker, the harder it may be for a legitimate user to remember. This trade-off between memorability and security has encouraged research into password strengthening and improved memorability in the form of alternatives to traditional passwords.
Efforts into improving memorability and security have included password phrases [27] and mnemonic passwords [28], both of which attempt to create secure passwords with built-in memorability aids. Other research focuses on balancing rather than improving memorability and security, such as using persuasive technology to encourage users to select secure and memorable passwords [29]. In this approach, users are allowed to select a password and then additional characters are added at random positions to improve the password’s security. The users are then allowed to shuffle the characters to find a combination that is memorable. The result was that users chose more secure passwords overall, but they still tended to choose weak initial passwords to improve memorability.
Despite strong research interest in improving passwords and secret-knowledge techniques in general, there has been no single authentication mechanism of this type that is considered both secure and usable. It is likely, then, that rather than focusing on finding the single authentication mechanism that will be the panacea to all authentication needs, research should focus on creating a toolbox of possible authentication methods that can be selected to suit a particular application’s needs. To this end, research into password alternatives has become an increasingly important field.
2.3 Alternatives to Passwords
The problems with traditional authentication mechanisms have not gone unnoticed in the research community; many alternatives to traditional textual passwords have been suggested. These include, but are not limited to, the following ideas:
Graphical passwords. This method relies on using either user-chosen or system-selected images to authenticate the user. Click-based graphical passwords [15, 30] consist of a series of n points on an image or series of images that the user has chosen during the enrolment process. During enrolment, the user chooses an image, then clicks on a series of memorable points on the image. The password is entered by subsequently clicking on the same points in the same order, within certain tolerances. Other methods require the user to select m pre-chosen images from a series of k > m distractor images [31, 32], or to draw a simple sketch on a grid of known size [33, 34]. Graphical passwords, while shown via lab studies to be usable and acceptable to users [35, 36], have not gained significant notice or use outside of laboratory studies. The reasons for this are not yet known, although Chiasson et al. postulate that it is because laboratory studies do not accurately mimic real-world use [36]. Based on the results of a lab study into the usability of graphical passwords, Stobert et al. [37] have argued that graphical passwords are potentially a useful security measure for mobile devices, both in terms of usability and expected security level. Their lab study did not explicitly include usability studies for mobile devices, but instead opined that the ability to use a smaller image on a touch screen would lend itself well to a mobile environment.
Single Sign-On (SSO). Some SSO systems use a single strong password to secure a list of other passwords in order to reduce the user’s memory load. Detractors of password-based SSO systems note that the loss of the main password, no matter how strong it is considered, reveals all passwords it protects, and thus the other passwords are useless. The security level would be the same if the strong password were used on each of the accounts it protects rather than having different passwords. The hope of SSO supporters is that the main password will be strong enough and treated with enough respect that it will not be lost. This is a simple case of moving the security of each individual password to the main password. Since SSO systems can be complex in terms of overhead and initial setup, the lack of additional security over a single strong password is often not seen as worth the overhead SSO provides [38].
Transparent authentication. This method gathers samples of user behavior while going about other tasks on a computer to produce a behavioral use pattern that can be used to verify the identity of the person using the resource. In this scenario, the user does not have to explicitly provide a sample for authentication (other than during enrolment in the authentication system); the expected benefit is that this may reduce frustration and improve security [39]. Transparent authentication may be implemented using biometrics, particularly behavioral since they are often easier to gather implicitly compared to physiological biometrics.
These alternatives to passwords and PINs are positive steps towards finding a viable authentication method for mobile devices. However, research has shown that these methods, as well as passwords and PINs, are not always accepted by users [40, 41].
2.4 User Acceptance of Secret-Knowledge Mechanisms
There has been a considerable amount of research that investigates the extent to which users will opt for secret-knowledge mechanisms, and the extent to which they understand their limitations. In a user study of mobile phone authentication practices, Kowalski and Goldstein found that users did not understand the security options available on mobile devices [42], specifically the difference between (and the existence of) the SIM PIN and the phone security code. Kowalski and Goldstein found that only 32% of users in their study were aware of the SIM PIN, and none of them chose to use it. Similarly, Botha et al. [43] distinguish between SIM and handset PINs and recognize that these are simply point-of-entry security mechanisms that have limited ability to provide content security. Botha et al. also state that PIN entry on mobile platforms may be tedious and annoying to the owner because “mobile users may simply wish to take the device out of their pocket to check a schedule entry and could therefore find that entering the password takes longer than the task itself.” [43, p. 3]. These concepts suggest the need for a more nuanced and effortless mechanism for mobile devices, as stated explicitly by Botha et al.
In a similar study, Clarke and Furnell found that 42% of respondents believed phone security codes (i.e., the handset PIN) provided an “adequate” level of security [44]. Despite the fact that fewer than half of respondents felt the security provided by the PIN was adequate, 66% of respondents used phone security code authentication when first starting up their device, and 18% also used it to awake from standby. These statistics present an impression of users’ mental model of security – fewer than half of respondents felt that their device was adequately protected, and yet a significant number regularly “secure” their device with a phone security code. This may be due to users choosing a “something is better than nothing” approach to security, in which they choose to use what is available despite their perceptions of its inadequacy. In a follow-up study, Karatzouni et al. [23] confirmed these findings, and state that users did not believe they had anything worth protecting on their mobile device.
While the alternatives to passwords discussed in this section help provide support for a toolbox of authentication mechanisms, they all have issues that prevent them from being the best choice for all authentication needs. In particular, the popularity and ubiquity of smartphones has increased the need for authentication mechanisms that are specifically tailored to these devices. One compelling reason is that they are increasingly able to store and transmit personal information [3], and their mobile nature and susceptibility to loss and theft make them particularly difficult to protect.
2.5 Mobile Device Authentication
The previous section has argued for mobile device authentication methods that are tailored to the nature of the device. One difference between desktop or laptop computers and mobile devices is that they are used very differently. Mobile device use patterns are often characterized by short, bursty intervals [7, 8, 45]. This means that mobile device owners tend to use their device frequently, but for short periods of time. Current mobile device authentication methods, including those discussed below, do not lend themselves well to frequency. Having to enter knowledge-based access control frequently may cause device owners to disable the security mechanism to reduce frustration.
Mobile devices are generally single-user devices, as evidenced by the lack of a multi-user model in the major mobile operating systems. Thus, access control is reduced to verification since the user assumes the identity of the device owner while using it. Many methods of controlling non-owner access to a mobile device have been studied. Two common methods are passwords and PINs, including the Android sketched password. Quite apart from the known weaknesses of knowledge-based mechanisms, they are of limited utility given that they only protect the device at point-of-entry. This means that once the password or PIN has been verified, the device can be used to its full extent. Furthermore, in this context, since knowledge-based authentication verifies knowledge of a secret and not the identity of the knowledge bearer, this kind of mechanism is somewhat unsatisfactory. If passwords for other applications are stored on the device, then a potential intruder also has access to these applications without authenticating further.
As on other computer systems, passwords and PINs are commonly-used security provisions on mobile devices [44]. There are two types of mobile device PINs [44, 46]: the handset PIN, which protects the handset itself and the data stored in its memory from unauthorized use, and the SIM PIN, which protects the use of and data stored on the SIM card. The handset PIN is the one that most users think of when asked about a mobile device PIN; many people do not realize that in using only this PIN, they are leaving unprotected a significant amount of potentially private information stored on the SIM card. As an example of the difference between the two PINs, note that even with the handset PIN enabled, it is possible to remove a device SIM and use it in another device.
In addition to PINs, which can have a variable number of digits, some mobile devices allow the use of standard alphanumeric passwords. These are different from PINs not only in length, but in possible character sets. Having a larger set of characters to choose from allows for more possible passwords. However, as was discussed previously, passwords on all platforms fall victim to the struggle between memorability and security. This holds on mobile devices as well.
In an attempt to move away from alphanumeric passwords and PINs, some device manufacturers have employed a sketch-based password, in which the user joins a series of points on a grid in a sequence. The order of the points defines the password. While quite memorable, they are also quite insecure since the drawn pattern has limited variations, and can be cracked by looking at the traces left on the screen and through direct observation [47].
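The limited variation of the sketched password can be quantified by counting the patterns a grid admits and comparing the result with PIN lengths. The following is an added example, not part of the thesis; it assumes the Android pattern-lock rules (a 3x3 grid, 4 to 9 points, each point used once, a stroke may not pass over an unvisited point), which the text does not state.

```python
import math

GRID = 3                       # assumption: 3x3 grid, points numbered 0..8 row by row
MIN_POINTS, MAX_POINTS = 4, 9  # assumption: Android's minimum and maximum pattern length


def _midpoint(a, b):
    """Return the grid point lying exactly between a and b, or None."""
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * GRID + (ca + cb) // 2
    return None


def count_patterns(length):
    """Count valid patterns that join exactly `length` distinct points."""

    def extend(last, visited, remaining):
        if remaining == 0:
            return 1
        total = 0
        for nxt in range(GRID * GRID):
            if visited & (1 << nxt):
                continue  # each point may be used only once
            mid = _midpoint(last, nxt)
            if mid is not None and not visited & (1 << mid):
                continue  # stroke would jump over an unvisited point
            total += extend(nxt, visited | (1 << nxt), remaining - 1)
        return total

    return sum(extend(start, 1 << start, length - 1)
               for start in range(GRID * GRID))


def pattern_space():
    """Number of valid patterns for every allowed length."""
    return {n: count_patterns(n) for n in range(MIN_POINTS, MAX_POINTS + 1)}


def equivalent_bits(count):
    """Entropy in bits of a uniformly chosen secret from `count` options."""
    return math.log2(count)


def shortest_pin_exceeding(count):
    """Smallest number of decimal digits whose PIN space exceeds `count`."""
    digits = 1
    while 10 ** digits <= count:
        digits += 1
    return digits


if __name__ == "__main__":
    space = pattern_space()
    total = sum(space.values())
    for length, count in space.items():
        print(f"{length} points: {count:>7} patterns")
    print(f"total: {total} patterns, about {equivalent_bits(total):.1f} bits")
    print(f"a {shortest_pin_exceeding(total)}-digit PIN already has more values")
```

The total is an upper bound that assumes every pattern is equally likely; the screen traces and direct observation cited in [47] reduce an attacker's search further.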
Other manufacturers have experimented with graphical passwords, and a few have begun to examine the use of biometrics [48]. However, these experiments are in early stages and currently point towards the need for alternatives to passwords and PINs for protecting mobile devices.
Hardware tokens have been suggested for use in mobile device authentication. With this method, authorized users carry a small, physical object such as a keyfob or card that may be used in combination with a knowledge-based mechanism to authenticate the holder. Tokens may be used to authenticate to other computing systems such as ATM machines, but research in this area also considers how a token owner can first authenticate to the token, then allow the token to manage further authentication requests from other computing systems. The first part of this dual authentication is of interest in this research; the second is out of scope. Since carrying a token may be seen by users as limiting [23] because it may be forgotten or lost, some researchers have focused on embedding a hardware token in a device that users already carry [49]. Suggestions for tokens have included watches, jewellery, credit card-style cards [50] and mobile devices [51, 52]. Stajano [53] used the mobile device itself as the token, however none of the research to date has investigated this from a transparent perspective. Transparency implies that the device owner does not explicitly provide information to authenticate, but is authenticated via information gathered while they go about other tasks on the device.
Other researched authentication methods include the user’s social group [24, 54] (e.g., the people nearby who know the user can vouch for their identity) and computer use patterns [55, 56]. This latter area of research takes advantage of the distinctive ways in which people use computers, including mobile devices. For instance, the regular pattern of one person may be to check their email once per hour, and work on a word processing document in between these checks. Another person may check their email more regularly and use a wider variety of programs in between checks. The research in this field focuses on determining whether these patterns of device use may be sufficient to verify the identity of the device user to a sufficient level of confidence.
2.6 Biometrics
Biometrics is defined as the “science of recognizing an individual based on her physiological and behavioral traits” [57]. A physiological biometric is one that is measured from the human body. Examples include iris and retina scans, fingerprints and facial recognition. Behavioral biometrics rely on a person’s unique behaviors, i.e., how they do particular tasks. Key behavioral biometrics are signatures, gait, voice and keystroke dynamics.
Biometric traits are inextricably linked to the person who provided them since they cannot be shared and are unlikely to be stolen¹, unlike passwords and PINs. Biometrics present an alternative to traditional knowledge- and ownership-based authentication (i.e., something you know and something you have, respectively). Support for biometrics has centered around memorability – biometrics cannot be forgotten. However, they are not universal: for example, approximately 2% of the U.S. population does not have viable fingerprints [58]. Furthermore, there are issues with biometric matching ability. Women’s fingerprints are harder to match than men’s; they require about 150% the processing power of male fingerprints [58].
¹ The word “stolen” in terms of a biometric pattern is not the same as “copied”. A person’s biometric trait may be copied after it is gathered, but in order to steal a physiological biometric, the thief must be in possession of the thing from which the biometric was gathered, for instance a finger or an eye.
Biometrics are used for two purposes, as follows [59]:
1. Verification (a.k.a. authentication): the person providing the gathered biometric claims an identity, then the gathered biometric is compared to that of the claimed identity in the database. If they match, the person is granted access to the protected resource; otherwise they are not. Verification is called 1:1 matching. A person may claim an identity by providing a username, or using an identification card either with or without a chip that contains further information. Cards that contain chips, known as smartcards, may also contain the known biometric for the card’s owner, which can reduce pattern matching times since the biometric system need not store patterns for all authorized users. For example, a bank may decide to use biometrics in conjunction with chipped debit or credit cards at its ATM machines. When the person inserts the card into the ATM, their fingerprint pattern is accessed from the chip on the card. Then, the ATM prompts the person to scan their fingerprint using the built-in scanner on the ATM. If the gathered and stored patterns match, the person may continue with their transaction. If there is no match, the transaction is not allowed. In this way, the ATM machines need not store a fingerprint for each bank customer in each ATM worldwide, or in a bank server.
2. Identification: recognizing a person who has not made a prior claim of identity via a match between the person’s offered biometric and any of those in a database of authorized people. The gathered biometric is compared to each pattern in the database until a match is found. If none exists, the person is rejected as unauthorized. Identification is called 1:N matching. This is a significantly more difficult and time-consuming process when compared to verification, but requires less information from the person offering the biometric. Identification can be used for “negative recognition”, which is when the biometric system determines if the person is who they implicitly or explicitly deny to be [60]. Logically, negative recognition is the opposite of verification and can be thought of as explicitly denying to be all people in the database except that person whose pattern matches the gathered biometric. Negative recognition is used to prevent people from claiming more than one identity. It can also be used in the case where the subject is not in a database. For instance, fingerprints may be used to identify a person who has been arrested in the past. In this case, a subject who has not been arrested previously claims that their identity is not in the fingerprint database.
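The difference between 1:1 verification, 1:N identification and negative recognition can be seen in a small matcher. The following is an added example, not part of the thesis; the four-element timing vectors, the Euclidean distance measure and the threshold of 20 are assumptions chosen for illustration, and all templates and samples are constructed.

```python
import math

# Constructed enrolment database (not real data): each identity maps to a
# template feature vector, here four keystroke timings in milliseconds.
TEMPLATES = {
    "alice": (105.0, 182.0, 96.0, 214.0),
    "bob": (131.0, 150.0, 120.0, 175.0),
    "carol": (88.0, 240.0, 79.0, 260.0),
    "dave": (150.0, 130.0, 141.0, 160.0),
}
THRESHOLD = 20.0  # assumed acceptance tolerance, same units as the features


def distance(a, b):
    """Euclidean distance between two equal-length feature vectors."""
    if len(a) != len(b):
        raise ValueError("feature vectors differ in length")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(claimed_id, sample, templates=TEMPLATES, threshold=THRESHOLD):
    """1:1 matching: compare the sample only with the claimed identity."""
    template = templates.get(claimed_id)
    if template is None:  # unknown claim: nothing to compare against
        return False
    return distance(sample, template) <= threshold


def identify(sample, templates=TEMPLATES, threshold=THRESHOLD):
    """1:N matching: scan the database until a template matches.

    Returns (identity or None, number of comparisons made).
    """
    comparisons = 0
    for identity, template in templates.items():
        comparisons += 1
        if distance(sample, template) <= threshold:
            return identity, comparisons
    return None, comparisons


def negative_recognition(sample, templates=TEMPLATES, threshold=THRESHOLD):
    """True when the claim "I am not in the database" holds for the sample."""
    identity, _ = identify(sample, templates, threshold)
    return identity is None


# Constructed samples gathered at authentication time.
CAROL_SAMPLE = (91.0, 236.0, 82.0, 255.0)       # carol, within her usual variation
STRANGER_SAMPLE = (200.0, 90.0, 190.0, 100.0)   # matches no enrolled template

if __name__ == "__main__":
    print("carol claims carol:", verify("carol", CAROL_SAMPLE))
    print("carol claims alice:", verify("alice", CAROL_SAMPLE))
    print("identify carol:", identify(CAROL_SAMPLE))
    print("identify stranger:", identify(STRANGER_SAMPLE))
    print("stranger not enrolled:", negative_recognition(STRANGER_SAMPLE))
```

Verification costs one comparison whatever the database size, while identification of an unenrolled subject costs one comparison per enrolled template before the rejection.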
Like traditional authentication mechanisms, biometrics also have issues that prevent them from being the method of choice in some cases. Jain et al. have proposed a list of desirable characteristics for biometrics that help address some of these issues, as follows [14, 59]:
Universality: the majority of system users should have the characteristic being used as a biometric.
Distinctiveness: the characteristic should differ sufficiently between users to allow for identity verification.
Permanence: the characteristic should not vary significantly over time.
Collectability: characteristics must be measured quantitatively.
Performance: this encompasses concerns with accuracy, speed of matching, resources required and operational factors. These should fit the needs of the system under design.
Acceptability: refers to how willing people are to accept the biometric in their daily lives. This trait also encompasses whether they consider the biometric a trustworthy authentication method.
Circumvention: indicates how easily a particular biometric can be used to fraudulently grant access to someone other than the biometric’s owner.
Most biometrics have several issues that make them poor choices for some users. A lack of universality leads to failure to enrol issues, where certain users may not use a biometric system because they cannot provide biometrics for comparison purposes. Failure to capture issues arise when performance degrades or has not been considered fully during the design process. Research into compensating for the variability and issues with individual biometrics has led to efforts into combining them into multimodal biometrics. Such combinations can often eliminate the weaknesses of individual biometrics.
Biometrics, both physiological and behavioral, have a strong history as an authentication and access control tool. The following sections introduce current work on the use of biometrics as an authentication method specifically for use with mobile devices. It does not include a discussion of biometrics on desktop or laptop computers. Thorough treatments of these topics can be found in [57, 59, 61–63].
2.6.1 Physiological Biometrics
Examples of physiological biometrics include fingerprints, palmprints, iris and retina scans and facial recognition. These biometrics generally require a method of obtaining them such as a scanner or camera, and a method of converting them from a detailed scan to a concise feature vector that represents the most salient (i.e., distinctive) parts. Each of these biometrics has strengths and weaknesses and the selection of which to use depends on the needs of the application that will deploy it. The biometrics listed above are discussed briefly below.
Fingerprint: the pattern of ridges and valleys on the fingertips. Fingerprints are distinct from finger to finger on the same person, and are different for identical twins. The accuracy of fingerprints in terms of verification is high – around 90% for a single index fingerprint [58]. Fingerprint readers are increasingly affordable (around USD $20 each for large orders) and are appearing on electronics such as laptops, tablet computers and mobile phones [48]. A detractor for fingerprint use, however, is that processing and matching the print requires large amounts of resources such as processor speed and memory, particularly when used for identification versus verification. Another potential issue is permanence, since fingerprints are sensitive to age, damage to the fingertip or loss of the finger. Once these are lost, the fingerprint cannot be used for identification. Furthermore, if a copy of the scanned fingerprint is stolen, it cannot be reset as can a password.
Palmprint: Much like fingerprints, the palm of the hand has ridges and valleys that are distinctive from person to person. The larger surface area of the palm compared to the fingertip is expected to provide more distinctive measurements. The tradeoff is an increase in pattern complexity and thus in matching. The larger palm area means that the scanners must be larger and likely more expensive. They are known to be distinctive [64], particularly when a high-resolution scanner is used. Palmprints are vulnerable to loss or injury to the hand, and are irreplaceable, much like fingerprints. Palmprint biometrics may be combined with scans of the veins in the hand to increase distinctiveness.
Retina: the blood vessels in the back of the eye have a distinctive pattern from person to person, including identical twins [63]. These patterns remain unchanged over a person’s life, unlike fingerprints. Retina biometrics are highly accurate and matching is quick. The subject must stand very close to an expensive and specialized scanner and remove glasses or contact lenses, which may limit acceptability. Retinal patterns may be altered by injury or medical conditions such as glaucoma and diabetes. Furthermore, they are affected by severe astigmatism and cataracts, which may render them indistinctive in the elderly.
Iris: the colored region of the eye that is bounded by the pupil and the white area. It is a distinctive biometric pattern (even between twins) that can be gathered from a short distance using a dedicated scanner [63]. The iris can be scanned through glasses and contact lenses, although accuracy may be improved if they are removed. Commercially-deployed iris recognition systems are fast and accurate and are becoming more commonplace. It is difficult to surgically alter the iris, and copies are quickly detected. However, irises can be damaged or lost due to injury or loss of the eye itself and are not easily replaced.
Face: is a common recognition method that people use regularly to identify those they have met in the past. The electronic version of facial recognition uses location and shape of facial features such as eyes, nose, eyebrows, lips and chin to create a distinctive pattern. The subject’s orientation to the camera, facial expression and lighting in the gathered images are known to be issues with facial recognition. Accuracy is known to be reasonable [64]. Facial recognition may be susceptible to circumvention via photographs held up to the camera.
Table 2.1 shows how each of these biometrics meets Jain’s seven biometric characteristics. For each biometric, a determination for its adherence to the characteristic in question has been made. The determinations are High (H), Medium (M) and Low (L), and have been selected by the author. For example, a determination of H for fingerprint universality implies that most people can be authenticated via a fingerprint scan. A determination of L for retina collectability means that there are issues surrounding collecting retina scans that stop it from being more highly collectable.
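| Biometric   | Universality | Distinctiveness | Permanence | Collectability | Performance | Acceptability | Circumvention |
|-------------|--------------|-----------------|------------|----------------|-------------|---------------|---------------|
| Fingerprint | H            | H               | M          | M              | M-L         | H             | H             |
| Palmprint   | H            | H               | M          | M              | M           | M             | M             |
| Retina      | H            | H               | H          | L              | M           | M             | L             |
| Iris        | H            | H               | H          | M              | H           | M             | L             |
| Face        | H            | M               | M          | H              | M           | M             | L             |
Table 2.1: Characteristics of selected physiological biometrics. The determinations of High (H), Medium (M) and Low (L) are the author’s interpretations.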
Some of the issues with physiological biometrics, particularly collectability and circumvention, are addressed by the use of behavioral biometrics. Basing a biometric pattern on a person’s actions may be less distinctive, but they often do not require additional hardware and may be gathered while the subject engages in normal activities rather than requiring them to submit to a scan.
2.6.2 Behavioral Biometrics
Physiological biometrics can be limiting, particularly in a mobile device environment, because they can require additional hardware to gather the biometric. Behavioral biometrics are known to be less distinctive than physiological biometrics [65], but have several benefits over physiological systems. They are easy to gather while the subject goes about other tasks and thus are ideal for transparent authentication. Their collection does not usually require special hardware and thus may be more cost effective. Much research has been undertaken into various possibilities, including keystroke dynamics [19, 66–68], speaker verification [69–71], touch screen interaction patterns [72] and device use patterns [55, 73]. The list below briefly describes key behavioral biometrics.
Signature: is the distinctive way in which a person signs their name. Signature metrics include the writing instrument pressure (electronic signatures only), shape of letters and other additions such as dots and flourishes. It has long been accepted as a method of identification and verification by government and legal bodies as well as by the general public. It requires use of a writing instrument and either a paper or electronic surface upon which to sign, which are relatively low-cost. Signatures are highly susceptible to forgery, although signature verification by a person or improved pattern matching algorithms can improve these methods [74, 75]. Signatures can be highly variable and thus require acceptance within certain tolerances rather than exact matches.
Gait: is the characteristic way in which a person walks. Gait is a complex biometric because it combines spatial and temporal issues, in that both movement in a 3D space as well as the timing of each movement must be measured [76]. It uses hardware such as accelerometers and gyroscopes for measurement [77], which are common in mobile devices, as well as 3D cameras. Issues with gait include limited universality since those who cannot walk are immediately exempt, which includes young children, the elderly and infirm and people in wheelchairs. Gait may also vary depending on the subject’s weight, age and mental state, among others, and thus is not highly invariant [78]. It is computationally-intensive both in feature vector creation and matching due to the complexity of the data gathered.
Device Use: attempts to gather patterns in how subjects use devices such as desktop and laptop computers and mobile phones. Examples of device use include sequences of events, use of shortcuts versus menu items, and routes taken while walking or driving [79]. These patterns, which can be gathered from such things as browser history and application notifications, are expected to be moderately distinctive, and require a relatively long training period [80]. They are subject to variability due to device changes (i.e., if the subject begins to use a new mobile phone), and changes to the functionality of the device (i.e., new software or programs on the computer). This sort of monitoring may be cause for concern in subjects due to its similarity to eavesdropping.
Typing: The way a person types is expected to be distinctive and is known as keystroke dynamics [81]. Measurements of the speed, frequency of characters and n-grams as well as the pressure with which keys are pressed are gathered and combined into a distinctive pattern [18, 82]. It is considered discriminatory for verification but not identification [59]. This biometric is highly variable due to mental state, subject position (i.e., standing, sitting or walking) and keyboard familiarity. It can be gathered using a standard keyboard while the subject goes about other tasks. Privacy issues include fear of keylogging. Keystroke dynamics may be subject to replay and imitation attacks, although the latter may be more difficult.
Voice: is both a physiological and a behavioral biometric. The physiological aspects include measurements of voice features that change due to the distinctive shape of the subject’s features such as larynx, glottal folds, mouth and lips [59]. The behavioral aspects include pronunciation, word frequency and use and accent. The physiological aspects are relatively invariant over a person’s life, but the behavioral aspects may be affected by mood, state of mind, age and medical conditions such as the common cold. Voice biometrics are not very distinctive and unsuitable for large-scale deployment due to issues with contamination from other noise during recording [83]. It is subject to misuse due to recording and replaying a subject’s voice, and it can be gathered without the subject’s knowledge.
Table 2.2 shows the biometrics described above in relation to Jain’s seven biometric characteristics. As with the physiological biometrics discussed in the previous section, a determination of High (H), Medium (M) or Low (L) denotes how well the biometric adheres to the characteristic. The individual determinations are based on the author’s opinions and knowledge of biometrics.

Biometric    Universality  Distinctiveness  Permanence  Collectability  Performance  Acceptability  Circumvention
Signature    H             M                L           H               M            H              M
Gait         L             M                L           H               M            H              L
Device Use   L             M                L           H               M            L              L
Typing       H             M                L           H               M            M              M
Voice        H             M                M           H               M            H              M

Table 2.2: Characteristics of selected behavioral biometrics. The determinations of High (H), Medium (M) and Low (L) are based on the author’s opinions.
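The Typing entry above describes combining timing measurements over n-grams into a pattern that supports verification rather than identification, and notes its variability with subject position. The following Python is an added example, not code from the thesis: it builds a digraph (2-gram) latency template and performs 1:1 verification. The function names, the z-score distance, the threshold of 2.0 and all timing values are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def typed(word, gaps):
    """Constructed sample: (key, press_ms) events for `word`, given press-to-press gaps."""
    t, events = 0, []
    for ch, gap in zip(word, [0] + gaps):
        t += gap
        events.append((ch, t))
    return events

def digraph_latencies(events):
    """Map each 2-gram of consecutive keys to its press-to-press latencies (ms)."""
    out = {}
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        out.setdefault(k1 + k2, []).append(t2 - t1)
    return out

def enroll(samples, min_count=3):
    """Template {digraph: (mean, std)} from digraphs seen at least min_count (>= 2) times."""
    pooled = {}
    for sample in samples:
        for dg, vals in digraph_latencies(sample).items():
            pooled.setdefault(dg, []).extend(vals)
    # Floor the deviation at 1 ms so a very consistent typist cannot cause division by zero.
    return {dg: (mean(v), max(stdev(v), 1.0))
            for dg, v in pooled.items() if len(v) >= min_count}

def score(template, events):
    """Mean |z| over digraphs shared with the template; None when nothing overlaps."""
    obs = digraph_latencies(events)
    dists = [abs(mean(obs[dg]) - m) / s
             for dg, (m, s) in template.items() if dg in obs]
    return mean(dists) if dists else None

def verify(template, events, threshold=2.0):
    """1:1 verification against one claimed identity; no usable evidence means reject."""
    s = score(template, events)
    return s is not None and s <= threshold

# Constructed enrollment data: one person typing "secure" three times (gaps in ms).
TEMPLATE = enroll([typed("secure", g) for g in (
    [120, 95, 140, 110, 100], [125, 90, 150, 105, 98], [118, 99, 145, 112, 104])])

if __name__ == "__main__":
    probes = {"owner, seated": [122, 93, 147, 108, 101],    # constructed
              "owner, walking": [150, 120, 175, 138, 128],  # constructed, slower
              "other person": [200, 60, 210, 170, 150]}     # constructed
    for label, gaps in probes.items():
        print(label, verify(TEMPLATE, typed("secure", gaps)))
```

The slower "walking" probe from the same constructed typist is rejected along with the other person's, which is the variability problem the Typing entry names: a template enrolled in one posture produces false rejections in another.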
The biometric chosen should reflect expected use in the regular context. The current research in mobile device authentication has examined these, and other, behavioral biometrics. However, studying the literature in the wider field of authentication may provide a basis for new research in mobile authentication.
In 2008, Yampolskiy and Govindaraju published a survey paper on behavioral biometrics [65], with the intent of gathering different types of behavioral biometrics and outlining studies that have been based on them. The biometrics included programming style and “soft” behavioral biometrics such as word knowledge and mathematical ability, and biometrics such as keystroke dynamics and gait analysis. Yampolskiy and Govindaraju’s work provides a basis for selecting behavioral biometrics to use for a particular purpose.
While the 2002 study by Clarke et al. [18] showed the applicability of various biometrics to mobile device environments, their determination of such applicability was based on devices available in 2002. Other researchers have since attempted to use the increasingly feature-rich mobile devices developed since that time to test a wide range of behavioral biometrics including speaker recognition, signatures and handwriting, touching and tapping and device use patterns. In 2004, Gamboa and Fred published a study on using captured taps via a pointing device (a mouse) [55], and while their study does not specifically refer to mobile devices, their method has the potential of being adapted to touch-based mobile devices since they gather the clicked location itself rather than relying on what specifically performed the click (e.g., finger or mouse). The main contribution of Gamboa and Fred’s research is in the biometric feature selection decisions, which are the specific parts of a biometric pattern that make it distinctive from those of others; these are the parts that are presented to the pattern classifier.
One interesting advantage that touch-screen mobile devices have is that touches have been shown to contain potentially distinctive patterns, although these do not deliver the level of assurance required for authentication. Frank et al. performed a study (N = 41) to examine the applicability of screen touches as a behavioral biometric for use in a continuous authentication system [72]. Their study resulted in misclassification error rates in the range of 4%, which, although quite low, is not low enough to support authentication unless it is combined with another biometric.
Many other behavioral biometrics have been considered for authentication. Examples include device use patterns (also called service utilization) [12, 56, 79, 80, 84], signatures and structured writing [85, 86], gestures and gait [87] and mouse movement [88–90]. The common thread running through all of these methods is that there is much uniquely identifying information in behavioral biometrics, and these methods lend themselves to a transparent authentication method.